Abstract

Determining if two protocols can be securely composed requires analyzing not only their additive properties but also their destructive properties. In this paper we propose a new composition method for constructing protocols based on existing ones found in the literature that can be fully automatized. The additive properties of the composed protocols are ensured by the composition of protocol preconditions and effects, denoting, respectively, the conditions that must hold for protocols to be executed and the conditions that hold after executing the protocols. The non-destructive property of the final composed protocol is verified by analyzing the independence of the involved protocols, a method proposed by the authors in their previous work. The fully automatized property is ensured by constructing a rich protocol model that contains explicit description of protocol preconditions, effects, generated terms and exchanged messages. The proposed method is validated by composing 17 protocol pairs and by verifying the correctness of the composed protocols with an existing tool.



1 Introduction 

Security protocols are "communication protocols dedicated to achieving security goals" (C.J.F. Cremers and S. Mauw) [1] such as confidentiality, integrity or availability. Achieving such security goals is made through the use of cryptography. The explosive development of today's Internet and the technological advances made it possible to implement and use security protocols in a wide range of applications such as sensor networks, electronic commerce or routing environments.

Security protocols have been intensively analyzed throughout the last few decades, resulting in a variety of dedicated formal methods and tools [2, 3, 4]. The majority of these methods consider a Dolev-Yao-like intruder model [5, 6] to capture the actions available to the intruder that has complete control over the network. By analyzing each individual protocol in the presence of this intruder, the literature has reported numerous types of attacks [3, 7]. However, in practice, there can be multiple protocols running over the same network, thus the intruder is given new opportunities to construct attacks by combining messages from several protocols, also known as multi-protocol attacks [8].

Designing new protocols, thus, becomes a challenging task if we look at the number of attacks that have been discovered over the years [7] after the protocols have been published. In the last few years the use of protocol composition [8, 9, 10] has been successfully applied to create new protocols based on existing [11, 12, 13] or predefined protocols [9].

In this paper we propose a new composition method that, as opposed to existing approaches [9, 11, 12, 13, 14] can be fully automatized by eliminating the human factor. In order to create an automated composition method, we need an enriched protocol model that contains enough information to compose the protocol preconditions and effects and an approach for the verification of the correctness of the final, composed protocol.

Preconditions denote the set of properties that must be satisfied for the protocol to be executed, while the effects denote the set of properties resulting from the protocol execution. By composing preconditions and effects (i.e. PE composition), we generate a new protocol sequence that ensures the satisfaction of the protocol preconditions and the propagation of generated information through effects.

The protocol sequence generated by the PE composition must be correct, in the sense that it must maintain the security properties of the original protocols. In order to verify this, we use an approach developed in our previous work [15] that verifies the independence of the involved protocols. Protocol independence, called participant chain composition (i.e. PC composition) ensures that the intruder can not replay messages from one protocol to another to construct new attacks while running the protocols in the same environment. This property also ensures the correctness of the composed protocol.

The paper is structured as follows. In section 2 we define an enriched protocol model that includes explicit description of protocol preconditions, effects, generated terms and exchanged messages. In section 3 we provide a description of the proposed composition method and a brief presentation of the independence verification method proposed in our previous work [15]. The proposed composition method has been applied in the composition process of several protocols; part of these experimental results are given in section 4. We relate our work to others found in the literature in section 5 and we end with a conclusion and future work in section 6.

2 Protocol model 

Protocol participants communicate by exchanging terms constructed from elements belonging to the following basic sets: $P$, denoting the set of participant names; $N$, denoting the set of random numbers or nonces (i.e. "number once used"); $K$, denoting the set of cryptographic keys; $C$, denoting the set of certificates and $M$, denoting the set of user-defined message components.

In order for the protocol model to capture the message component types found in security protocol implementations [17, 18] we specialize the basic sets with the following subsets:

• $P_{DN} \subseteq P$, denoting the set of distinguished names; $P_{UD} \subseteq P$, denoting the set of user-domain names; $P_{IP} \subseteq P$, denoting the set of user-ip names; $P_U = \{P \setminus \{P_{DN} \cup P_{UD} \cup P_{IP}\}\}$, denoting the set of names that do not belong to the previous subsets;

• $N_T$, denoting the set of timestamps; $N_{DH}$, denoting the set of random numbers specific to the Diffie-Hellman key exchange; $N_A = \{N \setminus \{N_{DH} \cup N_T\}\}$, denoting the set of random numbers;

• $K_S \subseteq K$, denoting the set of symmetric keys; $K_{DH} \subseteq K$, denoting the set of keys generated from a Diffie-Hellman key exchange; $K_{PUB} \subseteq K$, denoting the set of public keys; $K_{PRV} \subseteq K$, denoting the set of private keys.

To denote the encryption type used to create cryptographic terms, we define the following function names:

FuncName ::= sk     (symmetric function)
           | pk     (asymmetric function)
           | h      (hash function)
           | hmac   (keyed hash function)

The encryption and decryption process makes use of cryptographic keys. Decrypting an encrypted term is only possible if participants are in the possession of the decryption key pair. In case of symmetric cryptography, the decryption key is the same as the encryption key. In case of asymmetric cryptography, there is a public-private key pair. Determining the corresponding key pair is done using the function : $K \to K$.

The above-defined basic sets and function names are used in the definition of terms, where we also introduce constructors for pairing and encryption:

$$T ::= . \mid P \mid N \mid K \mid C \mid M \mid (T, T) \mid \{T\}_{FuncName(T)},$$

where the '.' symbol is used to denote an empty term.

Having defined the terms exchanged by participants, we can proceed with the definition of a node and a participant chain. To capture the sending and receiving of terms, the definition of nodes uses signed terms. The occurrence of a term with a positive sign denotes transmission, while the occurrence of a term with a negative sign denotes reception.

Definition 1. A node is any transmission or reception of a term denoted as $\langle \sigma, t \rangle$, with $t \in T$ and $\sigma$ one of the symbols $+$, $-$. A node is written as $-t$ or $+t$. We use $(\pm T)$ to denote a set of nodes. Let $n \in (\pm T)$, then we define the function $sign(n)$ to map the sign and the function $term(n)$ to map the term corresponding to a given node.

Definition 2. A participant chain is a sequence of nodes. We use $(\pm T)^*$ to denote the set of finite sequences of nodes and $\langle \pm t_1, \pm t_2, \ldots, \pm t_i \rangle$ to denote an element of $(\pm T)^*$.

In order to define a participant model we also need to define the preconditions that must be met such that a participant is able to execute a given protocol. In addition, we also need to define the effects resulting from a participant executing a protocol.

Preconditions and effects are defined using predicates applied on terms: $CON\_TERM : T$, denoting a term that must be previously generated (preconditions) or it is generated (effects); $CON\_PARTAUTH : T$, denoting a participant that must be previously authenticated (preconditions) or a participant that is authenticated (effects); $CON\_CONF : T$, denoting that a given term must be confidential (preconditions) or it is kept confidential (effects); $CON\_INTEG : T$, denoting that for a given term the integrity property must be provided (preconditions) or that the protocol ensures the integrity property for the given term (effects); $CON\_NONREP : T$, denoting that for a given term the non-repudiation property must be provided (preconditions) or that the protocol ensures the non-repudiation property for the given term (effects); $CON\_KEYEX : T$, denoting that a key exchange protocol must be executed before (preconditions) or that this protocol provides a key exchange resulting in the given term (effects).

The set of precondition-effect predicates is denoted by $PR\_CC$ and the set of precondition-effect predicate subsets is denoted by $PR\_CC^*$. Next, we define predicates for each type of term exchanged by protocol participants. These predicates are based on the basic and specialized sets provided at the beginning of this section. We use the $TYPE\_DN : T$ predicate to denote distinguished name terms, $TYPE\_UD : T$ to denote user-domain name terms, $TYPE\_IP : T$ to denote user-ip name terms, $TYPE\_U : T$ to denote user name terms, $TYPE\_NT : T$ to denote timestamp terms, $TYPE\_NDH : T$ to denote Diffie-Hellman random number terms, $TYPE\_NA : T$ to denote other random number terms, $TYPE\_KDH : T \times T \times T \times P \times P$ to denote Diffie-Hellman symmetric key terms ($term$, $number_1$, $number_2$, $participant_1$, $participant_2$), $TYPE\_KSYM : T \times P \times P$ to denote symmetric key terms ($term$, $participant_1$, $participant_2$), $TYPE\_KPUB : T \times P$ to denote public key terms ($term$, $participant$), $TYPE\_KPRV : T \times P$ to denote private key terms ($term$, $participant$), $TYPE\_CERT : T \times P$ to denote certificate terms ($term$, $participant$) and $TYPE\_MSG : T$ to denote user-defined terms.

The set of type predicates is denoted by $PR\_TYPE$ and the set of type predicate subsets is denoted by $PR\_TYPE^*$. Based on the defined sets and predicates we are now ready to define the participant and protocol models.

Definition 3. A participant model is a tuple $\langle prec, eff, type, gen, part, chain \rangle$, where $prec \in PR\_CC^*$ is a set of precondition predicates, $eff \in PR\_CC^*$ is a set of effect predicates, $type \in PR\_TYPE$ is a set of type predicates, $gen \in T^*$ is a set of generated terms, $part \in P$ is a participant name and $chain \in (\pm T)^*$ is a participant chain. We use the $MPART$ symbol to denote the set of all participant models.

Definition 4. A protocol model is a collection of participant models such that for each positive node $n_1$ there is exactly one negative node $n_2$ with $term(n_1) = term(n_2)$. We use the $MPROT$ symbol to denote the set of all protocol models.



3 Composition of protocol models 

The composition process involves composing in a first stage the protocol preconditions and effects followed by the composition of participant chains. In this section we first formulate the conditions needed for the precondition-effect (PE) composition which involves establishing the satisfaction of protocol preconditions and the verification of the non-destructive properties of protocol effects. This is followed by the protocol-chain (PC) composition for which we construct a canonical model and verify the independence of the involved participant chains.

3.1 Composition of preconditions and effects

In the composition process of two security protocols we first need to compose the preconditions and effects. In other words, we need to establish if the knowledge needed by protocol participants to run a given protocol, expressed through the form of precondition predicates, is available and if the set of precondition and effect predicates is non-destructive.

In order to establish if the set of preconditions corresponding to a protocol can be satisfied based on a given context and the effects corresponding to another protocol we use the predicate $PART\_PREC : T^* \times PR\_CC^* \times PR\_CC^*$. The context denotes the initial knowledge available to participants when running the protocol. For two participant models, $\varsigma_1 = \langle prec_1, eff_1, type_1, gen_1, part_1, chain_1 \rangle$ and $\varsigma_2 = \langle prec_2, eff_2, type_2, gen_2, part_2, chain_2 \rangle$, the $PART\_PREC$ predicate is defined as

$$
PART\_PREC(ctx, eff_1, prec_2) =
\begin{cases}
True, & \text{if } eff_1 \subseteq prec_2 \cup \{\cup\{CON\_TERM(t) \mid t \in ctx\}\}, \\
False, & \text{otherwise.}
\end{cases}
$$

The non-destructive property applies only for the $CON\_CONF$ predicate because the absence of another property, such as integrity or non-repudiation, does not affect the previous properties. In order to establish if the preconditions and effects of two participant models are destructive we use the predicate $PART\_NONDESTR : PR\_CC^* \times PR\_CC^* \times PR\_CC^*$ which holds only if all confidential terms from one participant model maintain their confidentiality property in the second participant model also. Thus, the predicate is defined as

$$
PART\_NONDESTR(eff_1, prec_2, eff_2) =
\begin{cases}
True, & \text{if } EF_1 \neq CON\_CONF \ \lor \\
 & \text{if } EF_1 = CON\_CONF \land t_1 = t_2 \text{ then } \exists EF_2(t_2) : EF_2 = CON\_CONF, \\
 & \forall EF_1(t_1) \in eff_1 \land \forall PR_2(t_2) \in prec_2, \\
False, & \text{otherwise.}
\end{cases}
$$



Based on the above given predicates we can state that in order to compose the preconditions and effects corresponding to two participant models we need to establish if the predicates $PART\_PREC$ and $PART\_NONDESTR$ hold. The precondition-effect (PE) composition is expressed through the use of the operator $\_ \prec_{\varsigma}^{PE} \_ : MPART \times MPART \to MPART$, which generates a new participant model based on two given participant models. By using this operator, we not only express the PE composition of participant models but also the order in which the given participant models appear in the final, composed participant model. Thus, we can state that given two participant models, $\varsigma_1$ and $\varsigma_2$, for which the PE composition requirements are satisfied, we have that $\varsigma_1 \prec_{\varsigma}^{PE} \varsigma_2 \neq \varsigma_2 \prec_{\varsigma}^{PE} \varsigma_1$. If the operator is applied on two participant models that can not be composed (i.e. one of the two predicates does not hold), the result is the empty participant model, denoted by $\phi_{\varsigma}^{PE} = \langle \phi, \phi, \phi, \phi, ., \phi \rangle$, where $\phi$ denotes an empty set.

The PE composition requirements of two participant models can be easily extended to form the requirements for the PE composition of two protocol models. These requirements include applying the $\_ \prec_{\varsigma}^{PE} \_$ operator on pairs of participant models for which the names are equal. We express the PE composition of two protocol models through the use of the $\_ \prec_{\xi}^{PE} \_ : MPROT \times MPROT \to MPROT$ operator. For this operator also, we can state that given two protocol models, $\xi_1$ and $\xi_2$, for which the PE composition requirements are satisfied, we have that $\xi_1 \prec_{\xi}^{PE} \xi_2 \neq \xi_2 \prec_{\xi}^{PE} \xi_1$. In case of protocol models that can not be composed, the result is denoted by the empty protocol model $\phi_{\xi}^{PE} = \phi$.
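The non-destructiveness condition of this subsection can be checked mechanically. The following Python sketch is an added example, not code from the paper: it evaluates PART_NONDESTR in both composition orders for same-named participants and reports which confidential terms would be lost. The reduced `Participant` tuple, the function names and the three sample protocol models are assumptions constructed for illustration.

```python
from typing import NamedTuple

# Predicate names from Section 2; an instance is a (predicate, term) pair.
CON_TERM, CON_CONF, CON_INTEG, CON_KEYEX = (
    "CON_TERM", "CON_CONF", "CON_INTEG", "CON_KEYEX")


class Participant(NamedTuple):
    """Reduced participant model: only the fields PART_NONDESTR reads."""
    part: str         # participant name
    prec: frozenset   # precondition predicates
    eff: frozenset    # effect predicates


def lost_confidentiality(eff1, prec2, eff2):
    """Terms for which PART_NONDESTR(eff1, prec2, eff2) fails.

    A term t fails when the first model guarantees CON_CONF(t), the second
    model uses t in a precondition, and the effects of the second model do
    not contain CON_CONF(t).
    """
    lost = set()
    for ef1, t1 in eff1:
        if ef1 != CON_CONF:
            continue  # only confidentiality can be destroyed
        for _pr2, t2 in prec2:
            if t1 == t2 and (CON_CONF, t2) not in eff2:
                lost.add(t1)
    return lost


def part_nondestr(eff1, prec2, eff2):
    """The predicate itself: True when no confidential term is lost."""
    return not lost_confidentiality(eff1, prec2, eff2)


def check_protocol_pair(proto1, proto2):
    """Check both orders (S1 = P1-P2, S2 = P2-P1) for same-named participants.

    Returns {(participant, order): lost terms}; an empty dict means the
    pair is non-destructive in both orders.
    """
    findings = {}
    for p1 in proto1:
        for p2 in proto2:
            if p1.part != p2.part:
                continue
            for order, first, second in (("S1", p1, p2), ("S2", p2, p1)):
                lost = lost_confidentiality(first.eff, second.prec, second.eff)
                if lost:
                    findings[(p1.part, order)] = lost
    return findings


def both_roles(prec, eff):
    """Build the same reduced model for participants A and B."""
    return [Participant(name, frozenset(prec), frozenset(eff))
            for name in ("A", "B")]


# Constructed sample models (not taken from the paper's experiments).
KEY_EXCHANGE = both_roles([], [(CON_KEYEX, "Kab"), (CON_CONF, "Kab")])
LEAKY_TRANSFER = both_roles([(CON_TERM, "Kab")], [(CON_INTEG, "Msg")])
SAFE_TRANSFER = both_roles([(CON_TERM, "Kab")],
                           [(CON_CONF, "Kab"), (CON_CONF, "Msg")])

if __name__ == "__main__":
    print(check_protocol_pair(KEY_EXCHANGE, LEAKY_TRANSFER))
    print(check_protocol_pair(KEY_EXCHANGE, SAFE_TRANSFER))
```

The first pair is flagged only in order S1, which illustrates why the composition operator is order-sensitive.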

3.2 Composition of participant chains 

The PC composition makes use of a canonical model that focuses on terms that can be verified by protocol participants. For each term the canonical model provides a corresponding syntactical representation through the use of basic types. These denote the terms that can be verified by protocol participants also including a representation for terms that can not be verified because of limited participant knowledge. The verification process makes use of these types to decide if attacks can be constructed on each protocol model by using terms extracted from the other considered protocol models.

In order to compose two participant chains these must be instance independent and canonical independent. The first condition refers to the non-destructive properties of preconditions and effects while the second condition refers to verifying the independence of the involved participant chains based on the canonical model. The verification of the independence property of protocol models has been covered by the authors in their previous work [15]. If protocols are independent, then they maintain their security properties when they are run in the same context. By using this property in the composition process, protocols maintain their security properties, resulting in new protocols with accumulated properties.

In the remainder of this section we briefly present the canonical model and the protocol independence property proposed in our previous work.

The basic types we consider are based on the specialized basic sets introduced in the protocol model:

$$BasicType ::= p_{DN} \mid p_{UD} \mid p_{IP} \mid p_U \mid n_T \mid n_{DH} \mid n_A \mid k \mid m \mid c \mid u,$$

where the given symbols correspond to participant distinguished names, user-domain names, user-ip names, other user names, timestamps, Diffie-Hellman random numbers, other random numbers, keys, user defined terms, certificates and unknown terms, respectively.

The unknown type $u$ corresponds to terms that can not be validated because of limited participant knowledge. By including this information in the specification we are able to detect subtle type-flaw attacks using a syntactical comparison of typed terms, that otherwise would require the construction of a state-space that can become rather large if we consider the existence of multiple protocols in the same system [16].

Based on the defined basic terms we can now proceed with the definition of canonical terms:

$$\mathcal{T} ::= . \mid BasicType \mid (\mathcal{T}, \mathcal{T}) \mid \{\mathcal{T}\}_{FuncName(\mathcal{T})}.$$

A canonical node is defined as a signed canonical term using the following definition.

Definition 5. A canonical node is any transmission or reception of a canonical term denoted by $\langle \sigma, t \rangle$, with $t \in \mathcal{T}$ and $\sigma$ one of the symbols $+$, $-$. We use $(\pm\mathcal{T})$ to denote a set of canonical nodes. Let $n \in (\pm\mathcal{T})$, then we define the function $csign(n)$ to map the sign and the function $cterm(n)$ to map the canonical term corresponding to a given canonical node.

Before we proceed with the definition of canonical chains and canonical participant models we need to define classifiers. These are attached to participant chains and are used to transform canonical terms received from other participants based on local participant knowledge. We define two such classifiers:

$$Classifier ::= CL_P \mid CL_V.$$

The first classifier $CL_P$ denotes the processing chain corresponding to a participant. This chain contains canonical terms that correspond to participant knowledge. The second classifier $CL_V$ denotes the virtual chain used to transform received terms from the transmitted form to the received form based on the knowledge of the receiving participant.
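The reduction of terms to basic types, and the difference between the transmitted and the received form of a term, can be sketched as follows. This is an added example, not code from the paper or from [15]: the tuple encoding of terms, the function names and the `accepts` comparison (a simplified stand-in for the independence conditions of [15], which are not reproduced here) are assumptions, and the sample messages are constructed.

```python
# Terms follow the grammar of Section 2, encoded as tuples (assumed encoding):
#   ("atom", basic_type, name) | ("pair", t1, t2) | ("enc", func, body, key)
def atom(basic_type, name):
    return ("atom", basic_type, name)


def pair(left, right):
    return ("pair", left, right)


def enc(func, body, key):
    return ("enc", func, body, key)  # key is assumed to be an atom


def canonical(term, known_keys=None, inverse=None):
    """Reduce a term to its canonical form (instances replaced by basic types).

    known_keys=None gives the transmitted form. With a set of key names the
    result is the received form: an encrypted term whose decryption key the
    receiver lacks becomes the unknown type "u". `inverse` maps an encryption
    key name to its decryption key name (identity for symmetric keys).
    """
    kind = term[0]
    if kind == "atom":
        return term[1]
    if kind == "pair":
        return ("pair", canonical(term[1], known_keys, inverse),
                canonical(term[2], known_keys, inverse))
    _, func, body, key = term
    if known_keys is not None:
        key_name = key[2]
        if (inverse or {}).get(key_name, key_name) not in known_keys:
            return "u"  # receiver cannot open the term, so cannot verify it
    return ("enc", func, canonical(body, known_keys, inverse),
            canonical(key, known_keys, inverse))


def accepts(expected, offered):
    """True when a receiver expecting `expected` (received form) cannot tell
    it apart from `offered` (transmitted form of another protocol's term)."""
    if expected == "u":
        return True  # nothing can be checked on an unknown term
    if isinstance(expected, str) or isinstance(offered, str):
        return expected == offered
    if expected[0] != offered[0]:
        return False
    if expected[0] == "enc" and expected[1] != offered[1]:
        return False
    first = 2 if expected[0] == "enc" else 1
    return all(accepts(e, o) for e, o in zip(expected[first:], offered[first:]))


def overlap(received, knowledge, sent):
    """Compare one reception of protocol 1 with one transmission of protocol 2."""
    return accepts(canonical(received, knowledge), canonical(sent))


# Constructed sample: B receives a ticket encrypted under Kas, a key B lacks.
B_KEYS = {"Kab", "Kbs"}
TICKET = enc("sk", pair(atom("p_U", "A"), atom("n_A", "Na")), atom("k", "Kas"))
P1_RECEIVED = pair(TICKET, atom("n_A", "Nb"))
# A message sent in a second, unrelated protocol.
P2_SENT = pair(enc("sk", atom("k", "Kab2"), atom("k", "Kbs")), atom("n_A", "Nc"))
# Protocol 1 message with an additional verifiable term in front.
P1_HARDENED = pair(atom("p_U", "B"), P1_RECEIVED)

if __name__ == "__main__":
    print(canonical(P1_RECEIVED, B_KEYS))         # received form at B
    print(overlap(P1_RECEIVED, B_KEYS, P2_SENT))  # chains are not independent
    print(overlap(P1_HARDENED, B_KEYS, P2_SENT))  # extra term removes the overlap
```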

Definition 6. A canonical participant chain is a sequence of canonical nodes. A classified canonical participant chain is a pair $\langle CL, l_{cc} \rangle$, where $CL \in Classifier$ and $l_{cc} \in (\pm\mathcal{T})^*$. We use $(\pm\mathcal{T})^*$ to denote a set of canonical participant chains.

Definition 7. A canonical participant model is a pair $\langle part, sl_{cc} \rangle$, where $part \in P$ is a participant name and $sl_{cc} \in (Classifier \times (\pm\mathcal{T})^*)^*$ is a set of classified canonical participant chains. We use MPART-C to denote the set of all canonical participant models.

Next, we define a canonical protocol model as a set of canonical participant models.

Definition 8. A canonical protocol model is a collection of canonical participant models such that for each positive canonical node $n_1$ there is exactly one negative canonical node $n_2$ with $cterm(n_1) = cterm(n_2)$. We use the MPROT-C symbol to denote the set of all canonical protocol models.

Based on the described protocol and canonical models, we proved, through the form of a proposition, that if two protocol models are instance independent and their corresponding canonical models are canonical independent, then the intruder can not construct attacks using terms extracted from other protocols. In order to verify this we used an intruder model based on the Dolev-Yao [5, 6] model to capture the powers that can be used by an intruder.

If two protocol models are independent, then their participant chains can be composed. We use the $\_ \prec_{\varsigma}^{PC} \_ : MPART \times MPART \to MPART$ operator to denote the PC composition of protocol chains and the $\_ \prec_{\xi}^{PC} \_ : MPROT \times MPROT \to MPROT$ operator to denote the PC composition of protocol models. For the first operator we use $\phi_{\varsigma}^{PC}$ to denote the empty participant model, while for the second operator we use $\phi_{\xi}^{PC}$ to denote the empty protocol model.

If two protocol models can be composed PE and PC, then they can be composed. The composition operator we use to denote the composition of protocol models is $\_ \prec^{C} \_ : MPROT \times MPROT \to MPROT$, for which the generated empty protocol model is denoted by $\phi^{C}$.

By sequentially composing several protocol models the resulting protocol model provides a unified set of preconditions and effects and a unified set of participant chains. By composing $i$ protocols, the resulting sequence is written as



3.3 Composition algorithm 

The proposed composition method can be applied on protocol pairs or entire protocol sequences. Let $SEQ_1$ and $SEQ_2$ be two protocol sequences, where each sequence is constructed by subsequently applying the $\_ \prec^{C} \_$ operator on protocol pairs, and $n$, $m$, two symbols denoting the number of protocols in the first and in the second sequence, respectively. Then, the composition algorithm must ensure that the new composed sequence maintains the security properties of the original protocols and that the knowledge available to protocol participants allows the execution of the new sequence. Verifying if protocols from the two sequences maintain their security properties requires applying the $PART\_NONDESTR$ predicate on each protocol pair and the verification of the independence of the participant chains by using the PC composition operator $\_ \prec_{\varsigma}^{PC} \_$. As shown in Algorithm 1, if one of these conditions is not satisfied, the execution is stopped, symbolized using the @InterruptExecution keyword.

Algorithm 1 Composition steps

{Verification of non-destructive properties}
for all $\xi_1 \in SEQ_1$ and $\xi_2 \in SEQ_2$ do
    for all $\varsigma_1 \in \xi_1$ and $\varsigma_2 \in \xi_2$ do
        Let $\varsigma_1 = \langle prec_1, eff_1, type_1, gen_1, part_1, chain_1 \rangle$,
            $\varsigma_2 = \langle prec_2, eff_2, type_2, gen_2, part_2, chain_2 \rangle$,
            $c_1 = PART\_NONDESTR(eff_1, prec_2, eff_2)$,
            $c_2 = PART\_NONDESTR(eff_2, prec_1, eff_1)$
        if $c_1 = False \lor c_2 = False \lor \varsigma_1 \prec_{\varsigma}^{PC} \varsigma_2 = \phi_{\varsigma}^{PC}$ then
            @InterruptExecution
        end if
    end for
end for

{Composition of protocol sequences}
Let $i = 1$, $j = 1$
Let $\xi = \{\langle \phi, PRINIT, TINIT, \phi, ., \phi \rangle\}$
while $i \leq n \land j \leq m$ do
    Let $\xi^i$ be the i-th element of $SEQ_1$
    Let $\xi^j$ be the j-th element of $SEQ_2$
    if $\xi \prec^{C} \xi^i \neq \phi^{C}$ then
        $\xi = \xi \prec^{C} \xi^i$, $i = i + 1$
    else if $\xi^i \prec^{C} \xi \neq \phi^{C}$ then
        $\xi = \xi^i \prec^{C} \xi$, $i = i + 1$
    end if
    if $\xi \prec^{C} \xi^j \neq \phi^{C}$ then
        $\xi = \xi \prec^{C} \xi^j$, $j = j + 1$
    else if $\xi^j \prec^{C} \xi \neq \phi^{C}$ then
        $\xi = \xi^j \prec^{C} \xi$, $j = j + 1$
    end if
end while

{Add remaining protocols}
while $i \leq n$ do
    $\xi = \xi \prec^{C} \xi^i$, $i = i + 1$
end while
while $j \leq m$ do
    $\xi = \xi \prec^{C} \xi^j$, $j = j + 1$
end while

If the protocol properties are not destructive, the execution of the composition algorithm continues with the composition of protocol components. The final protocol is denoted by $\xi$, which, initially, contains a participant model with the effects PRINIT and types TINIT. These denote the initial knowledge for protocol participants, extracted from the context $ctx$, a unified context constructed from the contexts corresponding to the two sequences.

The composition process locates the position of each protocol in the final sequence by using the composition operator $\_ \prec^{C} \_$. If the result is $\phi^{C}$, the protocols can not be composed and another pair is selected. Finally, the remaining protocols are added to the sequence.

4 Experimental results 



Table 1. Protocol composition results

Protocol 1   Protocol 2   PE (S1/S2)   PC (S1/S2)   Scyther
Lowe-B       ISO9798      N/Y          Y/Y          Y/Y
Lowe-B       X509v1       N/N          Y/Y          Y/Y
ISO9798      X509v1       Y/Y          Y/Y          Y/Y
ISO9798      X509v1c      Y/Y          Y/Y          Y/Y
X509v1       X509v1c      Y/Y          Y/Y          Y/Y
X509v1       X509v1c      Y/Y          Y/Y          Y/Y
BAN-RPC      Lowe-B       Y/Y          N/N          N/N
L-D-S        K-Cv1        Y/Y          N/N          N/N
K-Cv1        K-Cv2        Y/Y          Y/Y          Y/Y
L-D-S        Kerbv5       Y/Y          N/N          N/N
Lowe-Kerb    Neuman-S     Y/Y          N/N          N/N
H-N-S        Neuman-S     Y/Y          Y/Y          Y/Y
Needh-S      X509v1       Y/N          Y/Y          Y/Y
L-N-S        ISO9798      Y/N          Y/Y          Y/Y
Otway-R      Lowe-B       Y/N          Y/Y          Y/Y
SPLICE       Needh-S      Y/Y          Y/Y          Y/Y
TMN          Andr-RPC     Y/N          Y/Y          Y/Y
Y-L          K-Cv1        Y/Y          N/N          N/N


In order to validate the proposed method we generated several new composed protocols, based on existing ones. In order to verify if the new protocols accumulated the properties of the initial protocols, i.e. the composition is non-destructive, we applied the method proposed in this paper. However, such a verification is not enough for validating a method that must ensure the correctness of the resulted protocols, as shown by the large number of attacks discovered on protocols long after they have been published [3, 7].

Having these in mind, we turned to existing protocol verification tools. The purpose of the verification was to determine if new attacks became available on the composed protocols. One of the few tools allowing the verification of multi-protocol attacks is Scyther [4], which is the only tool currently available that also detects type-flaw attacks [19, 20], commonly found in multi-protocol environments.

We have applied our method on several pairs of security protocols defined in the library maintained by Clark and Jacob [21], for which there is also an online version available [22]. Through our experiments we composed protocol pairs such as CCITT X.509 v1 (i.e. X509v1) and CCITT X.509 v1c (i.e. X509v1c), BAN Concrete RPC (i.e. BAN-RPC) and Lowe-B (i.e. Lowe-BAN), Lowe-Denning-Sacco (i.e. L-D-S) and Kao-Chow v1 (i.e. K-Cv1), Lowe-Kerberos (i.e. Lowe-Kerb) and Neuman-Stubblebine (i.e. Neuman-S), Hwang-Neuman-Stubblebine (i.e. H-N-S) and Neuman-Stubblebine, Needham-Schroeder (i.e. Needh-S) and CCITT X.509 v1, Lowe-Needham-Schroeder (i.e. L-N-S) and ISO9798, Otway-Rees (i.e. Otway-R) and Lowe-BAN, Yahalom-Lowe (i.e. Y-L) and Kao-Chow v1, as shown in Table 1. The non-destructive property of the composed protocol was validated using the Scyther tool.

In Table 1, S1 indicates the protocol composition sequence P1-P2, while S2 indicates the sequence P2-P1. We used "Y" to indicate the successful composition of a sequence and "N" the failure of the composition process. By applying the proposed non-destructivity conditions we have discovered several new multi-protocol attacks. For example, in case of the protocol pair Yahalom-Lowe and Kao-Chow, we discovered a new attack that gives the intruder the possibility to replay valid messages from the Kao-Chow v1 (i.e. K-Cv1) protocol into the Yahalom-Lowe (i.e. Y-L) protocol. We have created a composed protocol and used the Scyther tool to verify it. The result was that 2 new attacks were possible. After correcting the problem by adding additional terms to the protocol messages in order for participants to be able to verify the validity of these messages, the Scyther tool did not detect any attacks, which was also confirmed by our method.

5 Related work 

In this section we briefly describe the approaches found in literature that mostly relate to our proposal.

In [14], Guttman proposes a composition method based on predefined protocol primitives that are used to construct new, composed protocols. A similar approach is proposed by Choi [9], that additionally defines bindings in order to correctly connect different primitives. The previously mentioned approaches have not been designed to compose existing protocols, as the one proposed in this paper. We have only mentioned them here for completeness.

A. Datta et al. [11, 12] propose the description of each composed protocol and of the final protocol as a set of equations. The composition process starts out from the initial protocol equations and tries to reach the properties modeled by the final equations. By doing so, they also prove the correctness of the final protocol. In case of this approach, the human factor plays an important role. As opposed to this, our approach can be fully automatized, eliminating the interference of the human factor.

The approach proposed by S. Andova et al. [13] also uses equations written for each protocol and for each security property that must be satisfied by the final protocol. The composition process uses the human operator to construct the final properties from the initial equations and the Scyther [4] tool to automatically verify the correctness of the composed protocols. This approach is a semi-automatized one that uses the human operator to construct the final properties and an automatic verification tool for the verification of the correctness of the final protocol.

6 Conclusion and future work 

We have developed a method for the composition of security protocols. The novelty of our approach is the fact that it provides a syntactical verification of the involved protocols, that makes it appropriate for on-line automated composition applications.

Our proposal makes use of an enriched protocol model that embodies protocol preconditions and effects. Messages exchanged by participants are modeled as sequences of nodes called participant chains. Based on this model we proposed conditions for the precondition-effect composition. This process involves determining if sufficient knowledge is provided by previous protocols and if instance-specific security properties are maintained even after the composition.

The protocol-chain composition process makes use of a canonical model that eliminates message component instances. This model reduces each component of the protocol model to its basic type. By doing so we are able to verify the instance-independent components of security protocols and detect multi-protocol attacks in a syntactical manner.

We have applied the proposed composition method on several pairs of well-known security protocols and have found new multi-protocol attacks. Our independence verification method has been validated using the security protocol verification tool Scyther, a state-space exploration method, by discovering the same multi-protocol attacks.

As future work, we intend to use the proposed composition method in the design process of new protocols for Web services. This would allow us to implement more complex protocols, such as TLS [23], currently used as a binary security protocol, using an XML message format that would enrich the properties of TLS with the ones specific to Web services such as extensibility or flexibility.